OvmfPkg: Enable secure-boot support when SECURE_BOOT_ENABLE==TRUE

Adjust PCD settings, library mappings and driver usage
to enable secure-boot when -D SECURE_BOOT_ENABLE=TRUE
is used on the build command line.

Signed-off-by: lgrosenb
Reviewed-by: jljusten
Reviewed-by: mdkinney

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13093 6f19259b-4bc3-4df7-8a09-765794883524

1 files changed, 44 insertions, 1 deletions

diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 1ee74376ec..be10ba6f6c 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -106,7 +106,18 @@
 

   ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf

   LocalApicLib|UefiCpuPkg/Library/BaseXApicLib/BaseXApicLib.inf

-  DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf  

+  DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf

+

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf

+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf

+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf

+!endif

+

+[LibraryClasses.common]

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

+!endif

 

 [LibraryClasses.common.SEC]

   DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf

@@ -170,6 +181,9 @@
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf

   UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf

   DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf

+!endif

 

 [LibraryClasses.common.UEFI_DRIVER]

   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf

@@ -223,7 +237,11 @@
   gEfiMdePkgTokenSpaceGuid.PcdMaximumGuidedExtractHandler|0x10

   gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxFvSupported|6

   gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxPeimPerFv|32

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x10000

+!else

   gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x400

+!endif

   gEfiMdeModulePkgTokenSpaceGuid.PcdMaxHardwareErrorVariableSize|0x8000

   gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0xc000

   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize|0xc000

@@ -240,6 +258,13 @@
   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2F

 !endif

 

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot

+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x05

+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05

+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05

+!endif

+

 !ifdef $(SOURCE_DEBUG_ENABLE)

   gEfiSourceLevelDebugPkgTokenSpaceGuid.PcdDebugLoadImageMethod|0x2

 !endif

@@ -311,7 +336,18 @@
   }

 

   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf

+

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {

+    <LibraryClasses>

+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf

+      BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

+      OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf

+	}

+!else

   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf

+!endif

+

   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf

   PcAtChipsetPkg/8259InterruptControllerDxe/8259.inf

   UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf

@@ -453,3 +489,10 @@
   }

 !endif

 

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf {

+    <LibraryClasses>

+      BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf

+      OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf

+  }

+!endif